Abstract

We investigate the hardness of establishing as many stable marriages (that is, marriages that
last forever) in a population whose memory is placed in some arbitrary state with respect to 
the considered problem, and where traitors try to jeopardize the whole process by behaving in 
a harmful manner. On the negative side, we demonstrate that no solution that is completely 
insensitive to traitors can exist, and we propose a protocol for the problem that is optimal with 
respect to the traitor containment radius. 

1 Introduction 

After 1123 years of existence, the Byzantine Empire finally collapsed soon after the fall of
Constantinople in 1453 to the Ottoman army (see Figure 1). The various wars that opposed armies in
the previous years ravaged their homeland as well as the capital city, as a contemporary reported [1]:
"The blood flowed in the city like rainwater in the gutters after a sudden storm."

Figure 1: Scene from the battle defending Constantinople, Paris 1499



Allegedly, the main reason for the Byzantine defeat is that there were traitors amongst its
leading generals [18, 13]. With traitors at their cores, armies suffered significant losses, leaving
mostly widows, orphans, and devastated homes. After the country was taken and the truce signed,
the city was to be rebuilt, starting with its core roots: families. In the ancient days, strict guidelines
were followed to form new marriages, like coming from the same social circles or being of opposite
sex. In a wasted land with few homes still standing, those were no longer sustainable options.
Stability of marriages was decided to be the most important criterion, rendering every other
consideration irrelevant. So, general guidelines were to be followed by all survivors: (i) do your
best to make your marriage last, (ii) don't be picky about whom you are married to, and (iii)
don't make others' marriage fail. Still, the Byzantine traitors that led the armies to their doom
were hidden amongst the surviving population, and managed somehow to remain unnoticed. Their
purpose was to cause as much havoc as possible, by any means necessary, without being caught for
their socially inconvenient behavior. So, the reconstruction of the city could have been jeopardized
by a few nasty Byzantine brides or bridegrooms.

The core problem Byzantine authorities were facing to establish as many stable marriages as
possible lay in the following two observations:

1. the population was heavily shocked by the war that just stopped, and their state of mind
was somewhat erratic: some could not remember they were previously married, some thought
they were previously married but never were, some thought they were engaged and expected a
response that would never come because the engagement was not remembered by the expected
bride or bridegroom, etc.,

2. the traitors could simulate emotional shock in order to stay undiscovered yet try to perturb
the global marriage process.

So, the only difference between the general population and the traitors was their willingness to 
accommodate the stable marriage doctrine in their daily life. 

In this paper, we investigate the hardness of establishing as many stable marriages (that is,
marriages that last forever) in a population whose memory is placed in some arbitrary state with
respect to the considered problem, and where traitors try to jeopardize the whole process by
behaving in a harmful manner. On the negative side, we demonstrate that no solution that is
completely insensitive to traitors can exist, and we propose a protocol for the problem that is
optimal with respect to the traitor containment radius.

2 Model and Definitions 

2.1 State Model 

A Byzantine city $S = (V, L)$ consists of a set $V = \{v_1, v_2, \ldots, v_n\}$ of potential brides¹ (or simply
brides) and a set $L$ of potential marriages. A potential marriage is an unordered pair of distinct
potential brides (this takes place before the Internet ages, so long distance marriage is not supposed
to last forever, and only marriages occurring in a vicinity may be stable). A Byzantine city $S$ can
be regarded as a graph whose vertex set is $V$ and whose link set is $L$, so in the sequel we use graph
terminology to describe a Byzantine city $S$. We use the following notations: $n = |V|$, $m = |L|$ and
$d(u, v)$ denotes the distance between two nodes $u$ and $v$ (i.e., the length of the shortest path between
$u$ and $v$).

Potential brides $u$ and $v$ are called neighbors if $\{u, v\} \in L$. The set of neighbors of a potential
bride $v$ is denoted by $N_v$. We do not assume existence of unique identifiers for potential brides
(birth records have been destroyed by the war, and the memory of each potential bride is unreliable).
Instead we assume each potential bride may distinguish its neighbors from each other by locally
labeling them.

¹Note that we use the word "bride" in the sequel of this paper to denote both brides and bridegrooms.

For the sake of generality and the lack of reports concerning the remains of Constantinople after 
it has fallen, we consider that the Byzantine city has arbitrary yet connected topology. We adopt 
the shared state model H] as a communication model, where each potential bride can directly and 
instantaneously get the current status of its neighbors. 

The current memory that is maintained by a potential bride is denoted by the term of state, 
and may be further divided into variables. A potential bride may take actions that are prescribed 
by the authorities during the reconstruction of the Byzantine city. An action is simply a function 
that is executed in an atomic manner by the potential bride. The action executed by each potential 
bride is described by a finite set of guarded commands of the form $\langle guard \rangle \rightarrow \langle statement \rangle$. Each
guard of potential bride u is a Boolean expression involving the state of u and its neighbors. 

A global state of a Byzantine city is called a configuration and is specified by the product of
states of all potential brides. We define $C$ to be the set of all possible configurations of a Byzantine
city $S$. For a potential bride set $R \subseteq V$ and two configurations $\gamma$ and $\gamma'$, we denote $\gamma \stackrel{R}{\mapsto} \gamma'$ when
$\gamma$ changes to $\gamma'$ by executing an action of each potential bride in $R$ simultaneously. Notice that $\gamma$
and $\gamma'$ can be different only in the states of potential brides in $R$. For completeness of execution
semantics, we should clarify the configuration resulting from simultaneous actions of neighboring
potential brides. The action of a potential bride depends only on the current state at $\gamma$ and the
states of the neighbors at $\gamma$, and the result of the action reflects on the state of the potential bride
at $\gamma'$.

We say that a potential bride is enabled in a configuration $\gamma$ if the guard of at least one of its
actions evaluates as true in $\gamma$. A schedule of a Byzantine city is an infinite sequence of potential
bride sets. Let $Q = R^1, R^2, \ldots$ be a schedule, where $R^i \subseteq V$ holds for each $i$ ($i \geq 1$). An infinite
sequence of configurations $e = \gamma_0, \gamma_1, \ldots$ is called an execution from an initial configuration $\gamma_0$
by a schedule $Q$, if $e$ satisfies $\gamma_{i-1} \stackrel{R^i}{\mapsto} \gamma_i$ for each $i$ ($i \geq 1$). Potential bride actions are executed
atomically, and we distinguish some properties on the scheduler (or daemon). A distributed daemon
schedules the actions of potential brides such that any subset of potential brides can simultaneously
execute their actions. We say that the daemon is central if it schedules the action of only one potential
bride at any step. The set of all possible executions from $\gamma_0 \in C$ is denoted by $E_{\gamma_0}$. The set of all
possible executions is denoted by $E$, that is, $E = \bigcup_{\gamma \in C} E_\gamma$. We consider asynchronous Byzantine
cities but we add the following assumption on schedules: any schedule is central and fair (meaning
that only one enabled potential bride is chosen at any step and that no potential bride can be
infinitely often enabled without being chosen by the scheduler).

In this paper, we consider (permanent) Byzantine faults: a Byzantine potential bride (i.e. a 
Byzantine-faulty potential bride) can exhibit arbitrary behavior independently of its actions. If v 
is a Byzantine-faulty potential bride, v can repeatedly change his (or her) state arbitrarily. For a 
given execution, the number of faulty potential brides is arbitrary. 

2.2 Self-Stabilizing Protocols Resilient to Byzantine Faults 

As the problem we solve is meant for stability and should reach a global fixed point, we use a 
specification predicate (shortly, specification) to define it. This specification predicate is denoted 
by $spec(v)$, for each potential bride $v$. A configuration is a desired one if every potential bride
satisfies $spec(v)$. A specification $spec(v)$ is a Boolean expression on variables of $P_v$ ($\subseteq P$) where $P_v$
is the set of potential brides whose state (or part of) appear in $spec(v)$. The variables appearing
in the specification are called output variables (shortly, O-variables).

A self-stabilizing protocol ([11E1120]) is a protocol that eventually reaches a legitimate
configuration, where $spec(v)$ holds at every potential bride $v$, regardless of the initial configuration. Once
it reaches a legitimate configuration, every potential bride never changes its O-variables and always
satisfies $spec(v)$. From this definition, a self-stabilizing protocol is expected to recover from any
number and any type of transient faults. However, the recovery from any configuration is
guaranteed only when every potential bride honestly executes its action from the configuration, i.e.,
self-stabilization does not consider the possibility of Byzantine-faulty potential brides.

When (permanent) Byzantine-faulty potential brides exist, they may not satisfy $spec(v)$. In
addition, honest potential brides near the Byzantine-faulty potential brides can be influenced and
may be unable to satisfy $spec(v)$. Nesterenko and Arora [17] define a strictly stabilizing protocol as
a self-stabilizing protocol resilient to an unbounded number of Byzantine-faulty actors.

Definition 1 ($c$-honest potential bride) A potential bride is $c$-honest if it is honest (i.e., not
Byzantine-faulty) and located at distance more than $c$ from any Byzantine-faulty potential bride.

Definition 2 ($(c, f)$-containment) A configuration $\gamma$ is $(c, f)$-contained for specification $spec$ if,
given at most $f$ Byzantine-faulty potential brides, in any execution starting from $\gamma$, every $c$-honest
potential bride $v$ always satisfies $spec(v)$ and never changes its O-variables.

The parameter $c$ of Definition 2 refers to the containment radius defined by Nesterenko and
Arora [17]. The parameter $f$ refers explicitly to the number of Byzantine-faulty potential brides,
while [17] dealt with an arbitrary number of Byzantine faults (that is, $f \in \{0 \ldots n\}$).

Definition 3 ($(c, f)$-strict stabilization) A protocol is $(c, f)$-strictly stabilizing for specification
$spec$ if, given at most $f$ Byzantine-faulty potential brides, any execution $e = \gamma_0, \gamma_1, \ldots$ contains a
configuration $\gamma_i$ that is $(c, f)$-contained for $spec$.

A specification is $r$-restrictive [17] if it prevents combinations of states that belong to two
potential brides u and v that are at least r hops away. An important consequence for our purpose 
is that the containment radius of protocols solving r-restrictive specifications is at least r. 

3 Specification 

The problem of maximal marriage construction is a well known problem in Distributed Computing. 
Given a graph $G = (V, E)$, a marriage $M$ on $G$ is a subset of $E$ such that any node of $V$ belongs to
at most one edge of $M$. A marriage is maximal if there exists no marriage $M'$ such that $M \subset M'$.

Specification 1 (Maximal Marriage) 
Liveness: The protocol terminates in a finite time. 
Safety: In the terminal configuration, there exists a maximal marriage.



Each potential bride $v$ has a variable $pref_v$ which belongs to the set $N_v \cup \{null\}$. This variable
refers to the preferred neighbor of $v$ for a marriage. For example, if $pref_v = u$ then $v$ wants to add
the edge $\{v, u\}$ to the marriage. For any potential bride $v$, we define the following set of predicates
over the Byzantine city: (i) $proposing_v$ denotes the fact that $v$ is proposing marriage to some
neighbor $u$, but that $u$ has not shown interest yet, (ii) $married_v$ denotes that $v$ has proposed to $u$ and
$u$ has proposed to $v$ back, (iii) $doomed_v$ denotes that $v$ has proposed to neighbor $u$, but $u$ has proposed
to somebody else than $v$, (iv) $dead_v$ denotes that $v$ has no hope of getting married ever (all neighbors
proposed to somebody else), and (v) $single_v$ means that $v$ has not proposed to anyone and has at
least one neighbor likewise. Formally:

$proposing_v = (pref_v = u) \wedge (pref_u = null)$

$married_v = (pref_v = u) \wedge (pref_u = v)$

$doomed_v = (pref_v = u) \wedge (pref_u = w) \wedge (w \neq v)$

$dead_v = (pref_v = null) \wedge (\forall u \in N_v, married_u = true)$

$single_v = (pref_v = null) \wedge (\exists u \in N_v, married_u \neq true)$

It is easy to verify that for any configuration $\gamma$ and for any potential bride $v$, exactly one of
these predicates holds for $v$ in $\gamma$.

If the Byzantine city is subject to Byzantine failures, obviously no protocol can satisfy the
classical specification of the problem. Now, a potential bride $v$ is considered locally legitimate
when it satisfies the following predicate: $spec(v) = married_v \vee dead_v$. We now describe the global
properties that are satisfied by a $(c, f)$-contained configuration for $spec$. Informally, we can prove
that there exists a maximal marriage on a subset of $S$ in such a configuration and that this subset
includes at least the set of $c$-honest potential brides. In the following, $V_c$ denotes the set of $c$-honest
potential brides (i.e., $V_c = \{v \in V \mid \forall b \in B, d(v, b) > c\}$).

Definition 4 ($(c, \gamma)$-marriage subset) Given an integer c > and a configuration $\gamma$, the $(c, \gamma)$-
marriage subset $S_c^\gamma$ of $S$ is the subset induced by the following set of potential brides:

$V' = V_c \cup \{v \in V \setminus V_c \mid \exists u \in V_c, pref_v = u \wedge pref_u = v\}$

Now, we can state formally the property satisfied by any $(c, f)$-contained configuration for $spec$.

Lemma 1 In any $(c, f)$-contained configuration for $spec$, there exists a maximal marriage on the
subset $S_c^\gamma$.

Proof Let $\gamma$ be a $(c, f)$-contained configuration for $spec$. Hence, $\gamma$ satisfies $\forall v \in V_c, married_v \vee
dead_v$. Let us define the following edge set $M_c = \{\{v, pref_v\} \mid v \in V_c \wedge pref_v \neq null\}$.

First, we show that $M_c$ is a marriage on $S_c^\gamma$. Indeed, if $\{v, pref_v\}$ is an edge of $M_c$, then $v$
satisfies $married_v$ (since $v$ satisfies $spec(v)$ and $pref_v \neq null$ by construction of $M_c$). Hence, we
have $pref_{pref_v} = v$. Consequently, $v$ and $pref_v$ appear only once in $M_c$.

Now, we show that $M_c$ is maximal. By contradiction, assume it is not the case. Consequently,
there exist two neighbors $v$ and $u$ (with $v \in V$ and $u \in V$) such that $\{v, u\} \notin M_c$ and $M'_c =
M_c \cup \{\{v, u\}\}$ is a marriage on $S_c^\gamma$. Let us study the following cases:

Case 1: $u \in V_c$ and $v \in V_c$.

If $married_v \wedge married_u$ holds, then $\{v, u\} \in M_c$ by construction, which contradicts the
hypothesis. If $dead_v \wedge dead_u$ holds, then we can deduce that $(pref_u = null) \wedge (married_u)$ (since
$dead_v$ holds), which contradicts $dead_u$. If $dead_v \wedge married_u$ (resp. $married_v \wedge dead_u$) holds,
then $\{v, pref_v\} \in M_c$ with $pref_v \neq u$ (resp. $\{u, pref_u\} \in M_c$ with $pref_u \neq v$) and we can
deduce that $v$ (resp. $u$) appears in two distinct edges of $M'_c$. Then, $M'_c$ is not a marriage, which
contradicts the hypothesis.

Case 2: $u \notin V_c$ and $v \notin V_c$.

According to the assumption, $\{u, v\} \notin M_c$. Since $v \in V' \setminus V_c \wedge u \in V' \setminus V_c$, we have $\{v, pref_v\} \in
M_c$ with $pref_v \neq u \wedge pref_v \in V_c$ (resp. $\{u, pref_u\} \in M_c$ with $pref_u \neq v \wedge pref_u \in V_c$) and we
can deduce that $v$ (resp. $u$) appears in two distinct edges of $M'_c$. Then, $M'_c$ is not a marriage,
which contradicts the hypothesis.

Case 3: $u \in V_c$ and $v \notin V_c$.

According to the assumption, $\{v, u\} \notin M_c$. Since $v \in V' \setminus V_c \wedge u \in V_c$, we have $\{v, pref_v\} \in M_c$
with $pref_v \neq u \wedge pref_v \in V_c$ (since if $pref_v = u$, then $\{v, u\} \in M_c$, which contradicts the
hypothesis) and we can deduce that $v$ appears in two distinct edges of $M'_c$. Then, $M'_c$ is not
a marriage, which contradicts the hypothesis.

□

The result of Lemma 1 motivates the design of a strictly stabilizing protocol for $spec$. Indeed,
even if this specification is local, it induces a global property in any $(c, f)$-contained configuration for
$spec$ since there exists a maximal marriage of a well-defined sub-graph in such a configuration.

4 Strictly Stabilizing Maximal Marriage 

This section presents our strictly stabilizing solution for the maximal marriage problem. We also 
prove its correctness and its optimality with respect to containment radius. 

4.1 Our Protocol 

Our strictly-stabilizing maximal marriage protocol, called SSMM, is formally presented as
Algorithm 1. The basis of the protocol is the well-known self-stabilizing Maximal Marriage protocol
by Huang and Hsu [12], but we allow potential brides to remember their past sentimental failures
(e.g., an aborted marriage due to the mate being Byzantine-faulty, or a proposal that didn't end
up in an actual marriage) in order not to repeat the same mistakes forever when Byzantine-faulty
brides participate in the global marriage process. The ideas that underlie the marriage process
for honest potential brides follow the directives discussed in the introduction: (i) once married,
honest brides never divorce and never propose to anyone else, (ii) honest brides may propose to
any neighbor, and if proposed to, will accept marriage gratefully, (iii) if they realize they previously
proposed to somebody that is potentially married to somebody else, they will cancel their proposal
and refrain from proposing to the same potential bride soon. A potential bride $v$ maintains two variables:
$pref_v$, that was already discussed in the problem specification section, and $old\_pref_v$ that is meant
to recall past sentimental failures. Specifically, $old\_pref_v$ stores the last proposal made to a
neighbor that ended up doomed (because that neighbor preferred somebody else, potentially because of
a Byzantine-faulty divorce, or because of genuine other interest that occurred concurrently). Then,
the helper function $next_v$ helps $v$ to move on from past failures by preferring the next mate not
to be the same as previously (in a round robin order): the same potential bride that caused a
sentimental breakup may be chosen twice in a row only if it is the only one available.




Algorithm 1 SSMM: Strictly-stabilizing maximal marriage for potential bride $v$

Variables:

$pref_v \in N_v \cup \{null\}$: preferred neighbor of $v$
$old\_pref_v \in N_v$: previous preferred neighbor of $v$

Function:

For any $u \in \{v, null\}$, $next_v(u)$ is the first neighbor of $v$ greater than $old\_pref_v$ (according to
a round robin order) such that $pref_{next_v(u)} = u$

Rules:

/* Don't be picky: Accept any mate (round robin priority) */

(M) :: $(pref_v = null) \wedge (\exists u \in N_v, pref_u = v) \rightarrow pref_v := next_v(v)$

/* Don't be picky: Propose to anyone (round robin priority) */

(S) :: $(pref_v = null) \wedge (\forall u \in N_v, pref_u \neq v) \wedge (\exists u \in N_v, pref_u = null) \rightarrow pref_v := next_v(null)$

/* Don't cause others to break up: give up proposing if doomed */

(A) :: $(pref_v = u) \wedge (pref_u \neq v) \wedge (pref_u \neq null) \rightarrow old\_pref_v := pref_v; pref_v := null$
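
The following Python sketch is an added illustration, not code from the paper: it runs rules (M), (S) and (A) of Algorithm 1 under a round-robin central daemon on a five-bride path, once with honest brides only and once with bride 0 Byzantine, and records the last step at which each honest bride violated spec. The topology, the initial memories, the scheduler and the Byzantine strategy (propose, then jilt, forever) are assumptions constructed for the example.

```python
# Added illustration (not the paper's code): SSMM rules (M), (S), (A) under a
# round-robin central daemon. Graph, initial state and Byzantine strategy are constructed.
from collections import deque

def married(pref, v):
    return pref[v] is not None and pref[pref[v]] == v

def spec(adj, pref, v):
    """spec(v) = married_v or dead_v."""
    dead = pref[v] is None and all(married(pref, u) for u in adj[v])
    return married(pref, v) or dead

def next_v(adj, pref, old, v, target):
    """First neighbor after old_pref_v, in round-robin order, whose pref is `target`."""
    nbrs = sorted(adj[v])
    start = nbrs.index(old[v]) + 1 if old[v] in nbrs else 0
    for k in range(len(nbrs)):
        u = nbrs[(start + k) % len(nbrs)]
        if pref[u] == target:
            return u
    return None

def enabled_rule(adj, pref, v):
    """Name of the rule whose guard holds at v, or None if v is not enabled."""
    p = pref[v]
    if p is None:
        if any(pref[u] == v for u in adj[v]):
            return "M"          # somebody proposed to v: accept
        if any(pref[u] is None for u in adj[v]):
            return "S"          # nobody proposed to v, a neighbor is free: propose
        return None
    if pref[p] is not None and pref[p] != v:
        return "A"              # v is doomed: abandon the proposal, remember it
    return None

def fire(adj, pref, old, v):
    rule = enabled_rule(adj, pref, v)
    if rule == "M":
        pref[v] = next_v(adj, pref, old, v, v)
    elif rule == "S":
        pref[v] = next_v(adj, pref, old, v, None)
    elif rule == "A":
        old[v], pref[v] = pref[v], None

def c_honest(adj, byzantine, c):
    """V_c: honest brides at distance > c from every Byzantine bride (BFS)."""
    dist = {b: 0 for b in byzantine}
    queue = deque(byzantine)
    while queue:
        x = queue.popleft()
        for y in adj[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return {v for v in adj if v not in byzantine and dist.get(v, c + 1) > c}

def run(adj, pref, old, byzantine=(), steps=200):
    """Return (final pref, last step at which spec(v) was false, per honest v)."""
    pref, old = dict(pref), dict(old)
    nodes, cursor = sorted(adj), 0
    flips = {b: 0 for b in byzantine}
    last_bad = {v: 0 for v in nodes if v not in flips}
    for t in range(1, steps + 1):
        # Central daemon: exactly one bride acts per step, scanned round robin.
        order = [nodes[(cursor + k) % len(nodes)] for k in range(len(nodes))]
        v = next((x for x in order if x in flips or enabled_rule(adj, pref, x)), None)
        if v is None:
            break                       # terminal configuration: nobody is enabled
        cursor = (nodes.index(v) + 1) % len(nodes)
        if v in flips:                  # Byzantine bride: propose, then jilt, forever
            choices = sorted(adj[v]) + [None]
            flips[v] += 1
            pref[v] = choices[flips[v] % len(choices)]
        else:
            fire(adj, pref, old, v)
        for x in last_bad:
            if not spec(adj, pref, x):
                last_bad[x] = t
    return pref, last_bad

# Constructed scenario: path 0-1-2-3-4 whose memories start in an arbitrary state.
ADJ = {0: [1], 1: [0, 2], 2: [1, 3], 3: [2, 4], 4: [3]}
PREF0 = {0: 1, 1: 2, 2: 3, 3: 4, 4: None}
OLD0 = {0: 1, 1: 0, 2: 1, 3: 2, 4: 3}

if __name__ == "__main__":
    print("honest run:   ", run(ADJ, PREF0, OLD0))
    print("bride 0 faulty:", run(ADJ, PREF0, OLD0, byzantine={0}))
    print("V_2 =", c_honest(ADJ, {0}, 2))
```

In the Byzantine run, brides 3 and 4 (the 2-honest set) satisfy spec from step 4 onwards, while brides 1 and 2, at distance 1 and 2 from bride 0, keep falling out of spec for as long as bride 0 misbehaves.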



4.2 Proof of Strict Stabilization 

In their paper [12], Hsu and Huang prove the self-stabilizing property of their maximal marriage
algorithm using a variant function. A variant function is a function that associates to any
configuration a numerical value. This function is designed such that: (i) the function is bounded, (ii) any
possible step of the algorithm decreases strictly the value of the function, and (iii) the function
reaches its minimal value if and only if the corresponding configuration is legitimate. Once such
a function is defined and its properties are proved, we can easily deduce the convergence of the
protocol. Indeed, whatever the initial configuration is, the value associated by the variant function
is bounded (by property (i)) and any execution starting from this configuration reaches in a finite
time the minimal value of the function (by property (ii)). Then, property (iii) allows us to conclude
on the convergence of the algorithm.

Our proof of strict-stabilization for our protocol also relies on a variant function (borrowed from
the one of [19]). We choose a variant function where we consider only potential brides of $V_2$. For
any configuration $\gamma \in \Gamma$, let us define the following functions:

$w(\gamma) = |\{v \in V_2 \mid proposing_v\}|$

$c(\gamma) = |\{v \in V_2 \mid doomed_v\}|$

$f(\gamma) = |\{v \in V_2 \mid single_v\}|$

$P(\gamma) = (w(\gamma) + c(\gamma) + f(\gamma), 2c(\gamma) + f(\gamma))$

Note that our variant function P satisfies property (i) by construction. 
Then, we define the following configuration set: 

$\mathcal{LC}_2 = \{\gamma \in \Gamma \mid \forall v \in V_2, spec(v)\}$

In other words, $\mathcal{LC}_2$ is the set of configurations in which any potential bride $v$ of $V_2$ satisfies $spec(v)$.

We can now explain the road-map of our proof. After two preliminary results (Lemmas 2 and 3)
that are used in the sequel, we first show that any configuration of the set $\mathcal{LC}_2$ is $(2, n)$-contained
for $spec$ (Lemma 4), that is, the set $\mathcal{LC}_2$ is closed by actions of SSMM. Then, there remains to
prove the convergence of the protocol to configurations of $\mathcal{LC}_2$ (starting from any configuration)
to show the strict-stabilization of SSMM. The remainder of the proof is devoted to the study
of properties of our variant function $P$. First, we show in Lemma 5 that any configuration $\gamma$ that
satisfies $P(\gamma) = (0, 0)$ belongs to $\mathcal{LC}_2$. This proves that $P$ satisfies the property (iii). Unfortunately,
we can prove that our variant function $P$ does not satisfy property (ii) (strict decreasing) since
Byzantine faults may lead some potential brides to take actions that increase the function value.
Nevertheless, we prove in Lemmas 6, 7 and 8 that this case may appear only a finite number of
times and that our variant function is eventually strictly decreasing, which is sufficient to prove
the convergence to $\mathcal{LC}_2$ in Lemma 9. Finally, Lemmas 4 and 9 permit to conclude with Theorem 1
that establishes the $(2, n)$-strict stabilization of SSMM. A detailed proof follows.

Lemma 2 For any execution $e = \gamma_0, \gamma_1, \ldots$,

- if $married_v$ holds in $\gamma_0$ for a potential bride $v \in V_1$, then $married_v$ holds in $\gamma_i$ for all $i \in \mathbb{N}$; and

- if $dead_v$ holds in $\gamma_0$ for a potential bride $v \in V_2$, then $dead_v$ holds in $\gamma_i$ for all $i \in \mathbb{N}$.

Proof Let $v$ be a potential bride of $V_1$. Hence, any neighbor of $v$ is an honest potential bride. If
$married_v$ holds in a configuration $\gamma_0$, then $pref_v = u \wedge pref_u = v$ holds in $\gamma_0$ by definition. We can
observe that $v$ and $u$ are not enabled by (M), (S), or by (A) in $\gamma_0$. Consequently, $v$ and $u$ are not
activated in any execution $e$ starting from $\gamma_0$. In conclusion, $married_v$ holds in any configuration
of $e$.

Let $v$ be a potential bride of $V_2$. If $dead_v$ holds in a configuration $\gamma_0$, then $pref_v = null \wedge (\forall u \in
N_v, married_u = true)$ holds in $\gamma_0$ by definition. Note that any neighbor of $v$ belongs to $V_1$ (since
$v \in V_2$). If $married_u$ holds in $\gamma_0$, then $married_u$ holds in any configuration of any execution
starting from $\gamma_0$. Potential bride $v$ is not enabled by SSMM in $\gamma_0$. No neighbor of $v$ is enabled
(according to the first part of the proof). Consequently, $dead_v$ holds in any configuration of any
execution starting from $\gamma_0$. □

Lemma 3 For any configuration $\gamma \in \mathcal{LC}_2$, no potential bride of $V_2$ is enabled by SSMM in $\gamma$.

Proof Let $\gamma$ be a configuration of $\mathcal{LC}_2$. By definition, $\gamma$ satisfies $\forall v \in V_2, married_v \vee dead_v$. Let $v$
be a potential bride of $V_2$.

If $married_v$ holds in $\gamma$, then we have $pref_v = u$ and $pref_u = v$ by definition. We can observe
that $v$ is not enabled by rules (M) and (S) in $\gamma$ since $pref_v \neq null$ and that $v$ is not enabled by
rule (A) in $\gamma$ since $pref_u = v$.

If $dead_v$ holds in $\gamma$, then we have $pref_v = null$ and $\forall u \in N_v, married_u = true$ by definition.
We can observe that $v$ is not enabled by rule (A) in $\gamma$ since $pref_v = null$ and that $v$ is not enabled
by rules (M) and (S) in $\gamma$ since $\forall u \in N_v, married_u \Rightarrow \exists r_u, pref_u = r_u \neq v \neq null$.

In both cases, $v$ is not enabled in $\gamma$. Hence, no potential bride of $V_2$ is enabled in $\gamma$. □

The definition of $\mathcal{LC}_2$ and Lemma 2 allow us to state the following lemma:

Lemma 4 Any configuration of $\mathcal{LC}_2$ is $(2, n)$-contained for $spec$.

Lemma 5 Any configuration $\gamma \in \Gamma$ satisfying $P(\gamma) = (0, 0)$ belongs to $\mathcal{LC}_2$.

Proof If a configuration $\gamma \in \Gamma$ satisfies $P(\gamma) = (0, 0)$, then $w(\gamma) + f(\gamma) + c(\gamma) = 0$. Hence,
no potential bride of $V_2$ is proposing, single, or doomed. Every potential bride $v$ of $V_2$ satisfies
$married_v \vee dead_v$. By definition of $\mathcal{LC}_2$, we have $\gamma \in \mathcal{LC}_2$. □



The following lemma is proved in a similar way as the corresponding one of [T^ (considering
only potential brides of $V_2$).

Lemma 6 For any configuration $\gamma \notin \mathcal{LC}_2$ and any step $\gamma \mapsto \gamma'$ in which a potential bride of $V_2$ is
activated by SSMM, we have $P(\gamma') < P(\gamma)$.

Proof Let $\gamma$ be a configuration such that $\gamma \notin \mathcal{LC}_2$. Consider any step $\gamma \mapsto \gamma'$ of SSMM. Since
the scheduling is central, at most one potential bride $v \in V_2$ is activated during $\gamma \mapsto \gamma'$. Consider
the following cases.

Case 1: $v \in V_2$ is activated by rule (M) during $\gamma \mapsto \gamma'$.

By construction, there exists $u \in N_v$ such that $v$ and $u$ become married during this step. Hence,
the function $w + f + c$ decreases by at least 1 during this step. Consequently, we have $P(\gamma') < P(\gamma)$.

Case 2: $v \in V_2$ is activated by rule (S) during $\gamma \mapsto \gamma'$.

As $pref_v = null$ and there exists $u \in N_v$ such that $pref_u = null$ in $\gamma$, $single_v$ holds in $\gamma$. On
the other hand, $pref_v = u$ and $pref_u = null$ hold in $\gamma'$, which implies that $proposing_v$ holds in $\gamma'$.
Hence, the function $2c + f$ decreases at least by one during $\gamma \mapsto \gamma'$.

As rule (S) is enabled in $\gamma$, we can deduce that no neighbor of $v$ is proposing after it (otherwise,
the rule (S) is not enabled for $v$). So no proposing node in $\gamma$ becomes single or doomed in $\gamma'$. If
a neighbor of $v$ is single in $\gamma$, it remains single or becomes dead in $\gamma'$. We can conclude that the
function $c + f + w$ remains equal and that the function $2c + f$ decreases by exactly one during
$\gamma \mapsto \gamma'$. Consequently, we have $P(\gamma') < P(\gamma)$.

Case 3: $v \in V_2$ is activated by rule (A) during $\gamma \mapsto \gamma'$.

As there exists $u \in N_v$ such that $pref_v = u$, $pref_u = w$, and $w \neq v$ in $\gamma$, we can deduce that
$doomed_v$ holds in $\gamma$. As $pref_v = null$ holds in $\gamma'$, we know that $single_v \vee dead_v$ holds in $\gamma'$. Hence,
the function $2c + f$ decreases by at least one during $\gamma \mapsto \gamma'$.

If a neighbor of $v$ is single in $\gamma$, then it remains single in $\gamma'$ (note that $u$ cannot become dead
in $\gamma'$ since $pref_v = null$). If a neighbor of $v$ is proposing in $\gamma$, it remains in this state because it
cannot wait for $v$ (recall that $pref_v \neq null$ in $\gamma$). If a neighbor of $v$ is doomed to $v$ in $\gamma$, then
it becomes proposing in $\gamma'$. Note that, if $u \in V_2$, $u$ leads to a supplementary decreasing of the
function $2c + f$ while $c + w + f$ remains equal but, if $u \notin V_2$, then functions $2c + f$ and $c + w + f$
remain equal. We can conclude that the function $2c + f$ decreases by at least one during $\gamma \mapsto \gamma'$.
Consequently, we have $P(\gamma') < P(\gamma)$. □

Lemma 7 In any execution, P only increases a finite number of times. 

Proof Let $v$ be a potential bride of $V$. Let $e$ be an execution in which $P$ is not monotonically
decreasing. Consider the first step $\gamma \mapsto \gamma'$ of $e$ in which $P$ increases and in which $v$ is activated.

By Lemma 6, we know that $v \notin V_2$ (otherwise, we have a contradiction with the decreasing of
$P$). Then, by construction of $P$, we know that $v \in V_1$ (since actions of potential brides of $V_0$ have
no effects on values of $P$). Consequently, $v \in V_1 \setminus V_2$.

Assume that $v$ executes rule (S) during the step $\gamma \mapsto \gamma'$. Observe that $v$ is single in $\gamma$ but
becomes proposing in $\gamma'$. Moreover, any neighbor of $v$ that is single in $\gamma$ remains in this state in
$\gamma'$ and there is no neighbor dead, proposing after $v$, or doomed after $v$ in $\gamma$ (by construction of the
rule). By Lemma 2, any neighbor of $v$ in $V_2$ remains married in $\gamma'$ if it is married in $\gamma$. Hence, the
action of $v$ does not modify the state of its neighbors and $P$ is not modified, which contradicts the
assumption.

Assume that $v$ executes rule (A) during the step $\gamma \mapsto \gamma'$. Observe that $v$ is doomed in $\gamma$ but
becomes single in $\gamma'$. Moreover, any neighbor of $v$ that is single in $\gamma$ remains in this state in $\gamma'$.
By construction of the rule, there is no neighbor of $v$ that is dead or proposing after $v$ in $\gamma$. Any
neighbor of $v$ that is doomed after $v$ in $\gamma$ becomes proposing in $\gamma'$. By Lemma 2, any neighbor of $v$
in $V_2$ remains married in $\gamma'$ if it is married in $\gamma$. Hence, the action of $v$ leads to a strict decreasing
of $P$, which contradicts the assumption.

Consequently, we know that $v$ is activated by rule (M) during the step $\gamma \mapsto \gamma'$. Then, by
construction of the rule, we know that $v$ becomes married in $\gamma'$ and remains in this state during
the whole execution (by Lemma 2). In particular, $v$ is never activated in the sequel of the execution.

In conclusion, we obtain that each potential bride $v \in V_1 \setminus V_2$ executes at most one step that
decreases $P$. As the number of potential brides $v \in V_1 \setminus V_2$ is finite, we obtain the result. □

Lemma 8 For any configuration $\gamma_0 \notin \mathcal{LC}_2$ and any execution $e = \gamma_0, \gamma_1, \gamma_2, \ldots$ starting from $\gamma_0$,
there exists a configuration $\gamma_i$ such that $P(\gamma_{i+1}) < P(\gamma_i)$.

Proof Let 70 be a configuration such that 70 ^ CC2- By contradiction, assume that there exists 
an execution e = 7o,7i,72,--- starting from 70 such that for any i G N, P(7j4.i) > P{'^i). By 
Lemma [gJ that implies that no potential bride of V2 is activated in any step of e. 

As 7o ^ CC2-, there exists v G V2 such that spec{v) does not hold in 79. Hence, v is proposing, 
doomed, or single in 70. Consider the following cases. 

Case 1: w is proposing in 70. By definition, we have 3u ^ Ny, (pref^ = n) A {prefu = null). 
Case 1.1: If u G V2, then we can observe that u is enabled by (M) in 79. Since v and u are never 
activated in e (by Lemma pi), then u remains continuously enabled. As the daemon is fair, u is 
activated in a finite time, that is contradictory. 

Case 1.2: If u ^ V2, then we can observe that u is continuously enabled by (M) from 70 (since v 
is never activated). As the daemon is fair, u executes (M) in a finite time and becomes married. 
If u is married with v, then P decreases, that is contradictory. We can deduce that u becomes 
married with another potential bride and is never activated afterwards (by Lemma pi). Then, v 
becomes doomed and continuously enabled by rule (A). As the daemon is fair, v is activated in a 
finite time and becomes dead or single. In both cases, P decreases, that is contradictory. 
Case 2: v is doomed in 70. By definition, we have {prefv = u) A {prefu = r) /\{r ^ v). 
Case 2.1: If u is activated in e, then we can observe that v is continuously enabled by rule {A). 
As the daemon is fair, v is activated in a finite time, that is contradictory. 

Case 2.2: If u is activated in e, then we know that u ^ V2 (otherwise, we obtain a contradiction). 
Before the first activation of u, we have {prefy = u) A {prefu = r) A {prefr = w) A{r ^ v) A{w ^ u) 
since the only enabled rule when prefu 7^ null is {A). After the execution of {A) by u, v becomes 
proposing after u and we can refer to case 1.2. 

Case 3: If single^ holds in 70, then we have {prefu = null) A {3u G Nu,marriedu = false) by 
definition. Let us study the following cases. 
Case 3.1: u G V2. 

By Lemma [GJ we know that u is never activated in e. Consequently, the fairness of the daemon 
allows us to conclude that prefu = r ^ v. Indeed, in the contrary case, v is continuously enabled 
by (M) \i prefu = v and u and v are continuously enabled by (M) or by {S) if prefu = null. 

If u is doomed, we can refer to case 2 with u playing the role of v while if u is proposing, we 
can refer to case 1 with u playing the role of v, that ends this case. 
Case 3.2: $u \in V_1 \setminus V_2$.

Observe that u cannot be dead since v is single. If u is single, then u is continuously enabled by
(S) or by (M). If u is doomed, then u is enabled by (A). If u is proposing after a potential bride r
different than u, then r is continuously enabled by (S) or (M). The fairness of the daemon implies
that r is activated in a finite time and hence that u remains proposing only a finite time.

Consequently, we know that, while u is not activated, remains not married, and is not proposing
after v, u is infinitely often enabled. The fairness of the daemon implies that, while u is neither married
nor proposing after v, u is activated in a finite time. The construction of the algorithm and the
round robin policy used for the management of the pointer ensure that u is either married or
proposing after v in a finite time.

If u becomes proposing after v, then v becomes enabled by (M) and u is not enabled while v
is not activated. Hence, the fairness of the daemon leads to an activation of v in a finite time, which
is a contradiction.

If u becomes married, then v can remain single or become dead. The first case allows us to
refer to case 3 again (but this case can arise only a finite number of times since the number of
neighbors of v is finite). In the second case, we obtain a contradiction since P strictly decreases.

In any case, we obtain a contradiction in a finite time and we can deduce the lemma. $\Box$

This set of lemmas allows us to conclude the following results:

Lemma 9 Any execution of SSMM reaches a configuration of CC2 in a finite time under the 
central fair daemon. 

Theorem 1 SSMM is a (2, n)-strictly stabilizing protocol for spec under the central fair daemon.

4.3 Optimality of Containment Radius 

This section is devoted to the impossibility result that proves the optimality of the containment
radius achieved by SSMM.

Theorem 2 There exists no (1, 1)-strictly stabilizing protocol for spec under any daemon.

Proof Consider a Byzantine city reduced to a chain of 5 potential brides labelled from left to right
by $v_0, v_1, \ldots, v_4$. Consider the configuration $\gamma$ in which $v_0$ (resp. $v_3$) is married with $v_1$ (resp. $v_4$).
Hence, $v_2$ is dead. Observe that $\gamma$ belongs to CC1 if the potential bride $v_0$ is Byzantine-faulty (i.e.
any potential bride of $V_1$ is either married or dead).

By definition, any (1, 1)-strictly stabilizing protocol for spec must ensure the closure of CC1 for
any execution starting from $\gamma$. But we can observe that it is not the case. Indeed, it is sufficient that
the Byzantine-faulty potential bride breaks its marriage with $v_1$ during the first step for violating
the closure of CC1 (since $v_2 \in V_1$ becomes single). As no protocol can prevent a Byzantine fault
by definition, we have the result. $\Box$
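
The counterexample in the proof of Theorem 2 can be checked mechanically. The following Python sketch is an added example, not part of the paper; the state predicates (married, single, dead) and the set V_c of nodes at distance greater than c from every Byzantine node are assumptions reconstructed from how the proof uses them.

```python
from collections import deque

# Constructed input: the chain v0 - v1 - v2 - v3 - v4 from the proof.
CHAIN = {0: [1], 1: [0, 2], 2: [1, 3], 3: [2, 4], 4: [3]}


def married(pref, v):
    """v and the neighbor it points at point at each other."""
    u = pref[v]
    return u is not None and pref[u] == v


def state(graph, pref, v):
    """Assumed predicates: married, single, dead, else proposing/doomed."""
    if married(pref, v):
        return "married"
    if pref[v] is None:
        free = any(not married(pref, u) for u in graph[v])
        return "single" if free else "dead"
    return "proposing-or-doomed"


def far_from(graph, byzantine, radius):
    """Assumed V_radius: nodes at distance > radius from every Byzantine node."""
    dist = {b: 0 for b in byzantine}
    queue = deque(byzantine)
    while queue:  # multi-source BFS from the Byzantine nodes
        x = queue.popleft()
        for y in graph[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return {v for v in graph if dist.get(v, radius + 1) > radius}


def contained(graph, pref, byzantine, radius):
    """True when every node of V_radius is married or dead."""
    return all(state(graph, pref, v) in ("married", "dead")
               for v in far_from(graph, byzantine, radius))


def theorem2_counterexample():
    byz = {0}                                   # v0 is Byzantine-faulty
    gamma = {0: 1, 1: 0, 2: None, 3: 4, 4: 3}   # v0-v1, v3-v4 married; v2 dead
    before = contained(CHAIN, gamma, byz, 1)
    after = {**gamma, 0: None}                  # v0 breaks its marriage with v1
    return (before, state(CHAIN, after, 2),
            contained(CHAIN, after, byz, 1), contained(CHAIN, after, byz, 2))


print(theorem2_counterexample())
```

The single Byzantine step flips the radius-1 check from satisfied to violated, while the radius-2 check over the same configuration still holds, which matches the containment radius of Theorem 1.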

5 Related Works 

Self-stabilization [U O [20] is a versatile technique that permits forward recovery from any kind
of transient faults, while Byzantine fault-tolerance [13] is traditionally used to mask the effect of
a limited number of malicious faults. In the context of self-stabilization, the first algorithm for
computing a maximal marriage was given by Hsu and Huang [12]. Goddard et al. [10] later gave a
synchronous self-stabilizing variant of Hsu and Huang's algorithm. Finally, Manne et al. [T3] gave
an algorithm for computing a maximal marriage under the distributed daemon. When it comes
to improving the $\frac{1}{2}$-approximation induced by the maximal marriage property, Ghosh et al. [9] and
Blair and Manne [2] presented a framework that can be used for computing a maximum marriage in
a tree, while Goddard et al. [TT] gave a self-stabilizing algorithm for computing a $\frac{2}{3}$-approximation
in anonymous rings of length not divisible by three. Manne et al. later generalized this result
to any arbitrary topology [15]. Note that contrary to our proposal, none of the aforementioned
marriage construction algorithms can tolerate Byzantine behaviour.

Making distributed systems tolerant to both transient and malicious faults is appealing yet
proved difficult [H [3] as impossibility results are expected in many cases (even with complete
communication topology and in a synchronous setting). A promising path towards multi-tolerance
to both transient and Byzantine faults is Byzantine containment. For local tasks (i.e. tasks whose
correctness can be checked locally, such as vertex coloring, link coloring, or dining philosophers),
strict stabilization [TTJ [16] makes it possible to contain the influence of malicious behavior within a fixed radius.
This notion was further generalized for global tasks (such as spanning tree construction) using the
notion of topology-aware strict stabilization [7, 8]. Our proposal is a strictly stabilizing maximal
marriage protocol that has optimal containment radius.

6 Conclusion 

We investigated the problem of recovering from a catastrophic war by establishing long standing
marriages, despite starting from an arbitrarily devastated state and having traitors trying to make the
global process fail. We presented evidence that no protocol can be completely resilient to traitors
(as far as their influence containment is concerned), and designed and formally proved a protocol to
solve the problem that is optimal in that respect. Further work is still needed for determining the
global possible efficiency of the marriage process. It is known that in a scenario without traitors,
a given maximal marriage [12] [TJ] is a factor 2 from the optimal (over all possible maximal
marriages), yet more efficient solutions (with respect to the approximation ratio) are possible [15].
Extending those works to a Byzantine-faulty setting is challenging future work.

References 

[1] Nicolo Barbaro. Diary of the Siege of Constantinople. Translation by John Melville-Jones,
New York, 1453.

[2] Jean R. S. Blair and Fredrik Manne. Efficient self-stabilizing algorithms for tree network. In 
ICDCS, pages 20-, 2003. 

[3] Ariel Daliot and Danny Dolev. Self-stabilization of byzantine protocols. In Ted Herman and 
Sebastien Tixeuil, editors, Self-Stabilizing Systems, volume 3764 of Lecture Notes in Computer 
Science, pages 48-67. Springer, 2005. 

[4] Edsger W. Dijkstra. Self-stabilizing systems in spite of distributed control. Commun. ACM,
17(11):643-644, 1974.



[5] Shlomi Dolev. Self-stabilization. MIT Press, March 2000.

[6] Shlomi Dolev and Jennifer L. Welch. Self-stabilizing clock synchronization in the presence of 
byzantine faults. J. ACM, 51(5):780-799, 2004. 

[7] Swan Dubois, Toshimitsu Masuzawa, and Sebastien Tixeuil. The impact of topology on
byzantine containment in stabilization. In Proceedings of DISC 2010, Lecture Notes in Computer
Science, Boston, Massachusetts, USA, September 2010. Springer Berlin / Heidelberg.

[8] Swan Dubois, Toshimitsu Masuzawa, and Sebastien Tixeuil. On byzantine containment
properties of the min+1 protocol. In Proceedings of SSS 2010, Lecture Notes in Computer Science,
New York, NY, USA, September 2010. Springer Berlin / Heidelberg.

[9] Sukumar Ghosh, Arobinda Gupta, Mehmet Hakan, Karaata Sriram, and V. Pemmaraju.
Self-stabilizing dynamic programming algorithms on trees. In Proceedings of the Second
Workshop on Self-Stabilizing Systems, pages 11-1, 1995.

[10] Wayne Goddard, Stephen T. Hedetniemi, David Pokrass Jacobs, and Pradip K. Srimani.
Self-stabilizing protocols for maximal matching and maximal independent sets for ad hoc networks.
In IPDPS, page 162, 2003.

[11] Wayne Goddard, Stephen T. Hedetniemi, and Zhengnan Shi. An anonymous self-stabilizing 
algorithm for 1-maximal matching in trees. In PDPTA, pages 797-803, 2006. 

[12] Su-Chu Hsu and Shing-Tsaan Huang. A self-stabilizing algorithm for maximal matching. Inf.
Process. Lett., 43(2):77-81, 1992.

[13] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The byzantine generals problem.
ACM Trans. Program. Lang. Syst., 4(3):382-401, 1982.

[14] Fredrik Manne, Morten Mjelde, Laurence Pilard, and Sebastien Tixeuil. A new self-stabilizing 
maximal matching algorithm. Theoretical Computer Science (TCS), 410(14):1336-1345, March 
2009. 

[15] Fredrik Manne, Morten Mjelde, Laurence Pilard, and Sebastien Tixeuil. A self-stabilizing 2/3- 
approximation algorithm for the maximum matching problem. Theoretical Computer Science 
(TCS), 412(40):5515-5526, September 2011. 

[16] Toshimitsu Masuzawa and Sebastien Tixeuil. Stabilizing link-coloration of arbitrary networks 
with unbounded byzantine faults. International Journal of Principles and Applications of 
Information Science and Technology (PAIST), 1(1):1-13, December 2007. 

[17] Mikhail Nesterenko and Anish Arora. Tolerance to unbounded byzantine faults. In 21st
Symposium on Reliable Distributed Systems (SRDS 2002), pages 22-29. IEEE Computer Society,
2002.

[18] Marshall C. Pease, Robert E. Shostak, and Leslie Lamport. Reaching agreement in the presence 
of faults. J. ACM, 27(2):228-234, 1980. 

[19] Gerard Tel. Maximal matching stabilizes in quadratic time. Inf. Process. Lett., 49(6):271-272, 
1994. 

[20] Sebastien Tixeuil. Algorithms and Theory of Computation Handbook, Second Edition, chapter
Self-stabilizing Algorithms, pages 26.1-26.45. Chapman & Hall/CRC Applied Algorithms and
Data Structures. CRC Press, Taylor & Francis Group, November 2009.


